ProblemChild Getting Started question

willemdh · May 18, 2021, 7:17pm

Hello,

Just read through ProblemChild: Detecting living-off-the-land attacks using the Elastic Stack | Elastic Blog
which all seems super interesting.

So.. Forgive me for my noobish questions.. But I was wondering how exactly I should start building this on my own Elastic stack.
I guess I need to store the scripts first with How to write scripts | Elasticsearch Guide [7.12] | Elastic ?

As I'm using Winlogbeat, am I supposed to use this pipeline examples/problemchild_features.json at master · elastic/examples · GitHub
while ingesting winlogbeat data so my winlogbeat data contains the correct features fields?

And then do data fram analytics classification on the resulting winlogbeat index?

Best regards,

Willem

Apoorva_Joshi · May 18, 2021, 9:51pm

Hello @willemdh!

Thanks for reaching out. Hope this answers your questions:
Yes you'll first need to set all the scripts (ngram_extractor, normalize_ppath, features_winlogbeat) in your cluster state.
You will then set this ingest pipeline.
Once you've set those, I would suggest using the ingest pipeline to re-index your raw winlogbeat data into another index and using that index to run your Data Frame Analytics jobs. Hope this helps!

system · June 15, 2021, 9:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Changing winlogbeat from elasticsearch to logstash Beats winlogbeat	3	227	February 10, 2024
Logstash not using ingest pipeline with datastreams Logstash ingest-pipeline , datastreams	3	435	July 28, 2022
Winlogbeat Parser Modification Beats elastic-stack-alerting , winlogbeat , elastic-agent	4	467	April 15, 2021
Store data into elasticsearch without parsing Beats filebeat , winlogbeat	2	309	August 26, 2022
Reading data from winlogbeats Beats winlogbeat	1	258	June 29, 2021

ProblemChild Getting Started question

Related topics